We also have a problem scanning outgoing mail. It seems like a user on...
our server is making scripts to send out spam to a large list of AOL
users in the "Cc" part, which we are still trying to track down. The mail header looks as if it was sent from our local 127.0.0.1 from the
[EMAIL PROTECTED] user, so we can't block the user or IP address.
We checked the maillog, but the session shows as [127.0.0.1] 127.0.0.1. What config did you put in sendmail to make it show more?
If the log shows the connection as coming from [EMAIL PROTECTED] on 127.0.0.1, it's likely that the mail really is coming from a script on your web server. As far as sendmail is concerned, it *is* local.
If you have some sort of webmail system (like the original poster), it may write its own logs, which could help you find the source. And if someone's calling a script via HTTP, the request should show up in your apache logs. You'll probably have to look by time, rather than content.
I had considered the other suggestion to use a wrapper for sendmail, but looking at the dependencies of /usr/sbin/sendmail, it seems like a lot of work to replace it with the wrapper, as everyone knows the location of /usr/sbin/sendmail already.
You should be able to rename the sendmail binary, then place your wrapper script at /usr/sbin/sendmail. That way anyone who tries to call it at the usual place gets the wrapper.
-- Kelson Vibber SpeedGate Communications <www.speed.net>
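A wrapper along the lines Kelson describes, added here as an example and not code from the original thread. It assumes the real binary has been renamed to /usr/sbin/sendmail.real (a hypothetical name, overridable with REAL_SENDMAIL), writes to /var/log/sendmail-wrapper.log (also hypothetical, overridable with SENDMAIL_WRAPPER_LOG), and reads the caller's command line from Linux /proc. For every invocation it records the parent process, the uid, the working directory, the sendmail arguments and the From/To/Cc/Subject headers of the submitted message, which is exactly what the maillog's "[127.0.0.1]" session line does not give you, and then hands the unchanged message to the real sendmail.

```shell
#!/bin/sh
# Logging wrapper to install at /usr/sbin/sendmail after renaming the real
# binary. Paths below are assumptions; adjust to your system.
REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/sbin/sendmail.real}"
LOGFILE="${SENDMAIL_WRAPPER_LOG:-/var/log/sendmail-wrapper.log}"

# Format the "who called us" part of the log line.
# $1 = parent pid, $2 = parent command line, $3 = uid, $4 = cwd,
# remaining arguments = the arguments sendmail was invoked with.
sendmail_wrapper_logline() {
    ppid="$1"; parent="$2"; uid="$3"; cwd="$4"; shift 4
    printf 'ppid=%s parent=[%s] uid=%s cwd=%s args=[%s]' \
        "$ppid" "$parent" "$uid" "$cwd" "$*"
}

# Extract From/To/Cc/Subject from the message stored in file $1, stopping at
# the blank line that ends the headers so body text is never mistaken for one.
sendmail_wrapper_headers() {
    awk '/^$/ { exit }
         tolower($0) ~ /^(from|to|cc|subject):/ { s = s (s == "" ? "" : " | ") $0 }
         END { print s }' "$1"
}

# Spool stdin to a temp file so the message can be both inspected and
# forwarded, log one line, then run the real sendmail with the same input.
sendmail_wrapper_main() {
    tmp=$(mktemp /tmp/sendmail-wrapper.XXXXXX) || exit 1
    cat > "$tmp"
    # Parent command line from /proc (Linux-specific; empty elsewhere).
    parent=$(tr '\0' ' ' < "/proc/$PPID/cmdline" 2>/dev/null)
    printf '%s %s headers=[%s]\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" \
        "$(sendmail_wrapper_logline "$PPID" "$parent" "$(id -u)" "$PWD" "$@")" \
        "$(sendmail_wrapper_headers "$tmp")" >> "$LOGFILE"
    "$REAL_SENDMAIL" "$@" < "$tmp"
    rc=$?
    rm -f "$tmp"
    exit $rc
}

# Only act as the wrapper when installed under the sendmail name; sourcing
# this file under another name merely defines the functions above.
case "$(basename -- "$0")" in
    sendmail) sendmail_wrapper_main "$@" ;;
esac
```

The parent command line is the useful field: a spamming script invoked through the web server shows up as the PHP or CGI interpreter with the script path, running as the web server's uid from the web root, and the timestamp lets you line that up with the apache access log and the maillog entry for the same second. Keep the log file writable only by root and the web server user, since it records every recipient list your host sends.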